Posted by J-admin
Security researchers have found a serious vulnerability in Oracle databases: an attacker can perform SQL injection and other advanced attacks and thereby gain full privileges, the researchers said. Is Oracle just paying lip service to database security? Some researchers within the database community think so, complaining that as the software juggernaut has grown with acquisitions, such as the blockbuster Sun deal, it hasn't maintained enough resources to securely develop database products and resolve vulnerabilities disclosed by researchers in a timely fashion.
"I would say easy fixes get done pretty quickly, within three to six months, but things that are harder and need some changes in architecture or have an impact on customers where customers have to make some changes to their products, to their software that uses the databases, those things don't get done in the CPU," said Alex Rothacker, manager of Application Security's research arm, TeamSHATTER. "We have a vulnerability disclosed where basically we can brute force any user's password ... we reported this two years ago and they haven't fixed it yet."
It's a complaint lodged by many researchers, who say that even as Oracle publicly states it wants to work with the research community to fix database issues, it isn't putting its shoulder into the effort. The numbers show that the proportion of quarterly critical patch updates for Oracle database products has diminished considerably over the last two years.
While some might come to the conclusion that there are fewer updates because Oracle's products are getting more secure, researchers say this trend has occurred simultaneously as the window between disclosure of vulnerabilities and patch releases for them has grown wider.
"They respond immediately and say 'Thank you very much for the information' and so on, but it sometimes takes more than a year to actually release a patch," said Slavik Markovich, VP and CTO of database security for McAfee. "I get the feeling that they don't invest enough or have enough people working on this so it takes a long time to patch." In the meantime, too, new database products--some of them security related, even--are released with the same type of vulnerabilities that researchers have been alerting Oracle to for years.
Posted by J-admin
Facebook users are facing a Facebook porn and gore exploit. The content, which includes explicit hardcore porn images, photoshopped photos of celebrities such as Justin Bieber in sexual situations, pictures of extreme violence and even a photograph of an abused dog, has been distributed via the site, seemingly without the knowledge of users.
Facebook users' outrage is mounting toward the social network over an exploit that is currently turning unsuspecting users' news feeds into unstoppable torrents of hardcore pornography and gory, violent pictures. It started a few days ago and is now becoming an out-of-control exploit that has users angry and disgusted, while seemingly mocking Facebook's notoriously conservative content controls.
The onslaught has many asking whether this is a delayed version of the attack originally scheduled for November 5th by the online hacker group 'Anonymous'.
Posted by J-admin
Hacktivists have published a dossier of personal information on the head of Citigroup in retaliation for the cuffing of protesters at an Occupy Wall Street demo.
Members of a group called CabinCr3w, a hacking gang affiliated with Anonymous, revealed phone numbers, an address, an email address and financial information on Vikram Pandit, Citigroup's chief executive officer. The exposé follows the arrest of a group of anti-capitalist protesters who allegedly sparked a ruckus inside a Citibank branch while withdrawing funds and closing their accounts. Previously, more than 200K customer accounts were stolen from Citibank. About 24 people were detained and charged with criminal trespass on Saturday afternoon.
In a statement, Citibank said only one of the protesters was actually trying to close an account, a request that it said was accommodated. The rest of the group were causing a nuisance and were repeatedly asked to leave before the New York City plod were called.
CabinCr3w previously published the personal information on the chief executives of JP Morgan Chase and Goldman Sachs. It also published the details of an NYPD officer accused of pepper-spraying Occupy Wall Street protesters.
Posted by J-admin
Million ASP.Net web sites affected with mass SQL injection attack
Hackers are in the midst of a massively successful SQL injection attack targeting websites built on Microsoft's ASP.Net platform. About 180,000 pages have been affected so far, security researchers say.
Attackers have planted malicious JavaScript on ASP.Net sites that causes the browser to load an iframe with one of two remote sites: www3.strongdefenseiz.in and www2.safetosecurity.rr.nu, according to security researchers at Armorize who discovered the attack. From there, the iframe attempts to plant malware on the visitor's PC via a number of browser drive-by exploits.
A drive-by exploit loads malware without the visitor's knowledge or participation (no need to open a file or click on a link). Fortunately, the attackers are using known exploits with patches available, so the attack can only succeed if a visitor is using an outdated, unpatched browser without the latest version of Adobe PDF, Adobe Flash or Java.
Unfortunately, Armorize says that only a few of the most popular antivirus vendors detect the dropped malware, according to the VirusTotal web site. VirusTotal is a security monitoring service offered by Hispasec Sistemas that analyzes suspicious files and URLs. At this time, it reports that six of the 43 antivirus packages it monitors detect the malware dropped by this latest SQL injection attack.
These are AntiVir, ByteHero, Fortinet, Jiangmin, McAfee and McAfee-GW-Edition. The attack targets users whose default browser language is English, French, German, Italian, Polish or Breton. One of the sites accessed via the iframe is in Russia; the other is in the United States and is hosted by HostForWeb.com, Armorize says. Some of the planted malware accesses a site hosted in the United States, too.
Users are advised to take advantage of NoScript in order to protect themselves from this, and many other Web based threats.
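As an added defender-side example (not code from the original article or from Armorize), the scanner below runs over dumped text columns or page fragments and flags any script or iframe reference to the two domains named above, any other unexpected remote script host, and the inline `document.write` iframe loader that such injections typically use. The sample rows, the script path `x.js` and the address 203.0.113.5 are constructed for the example.

```python
"""Scan stored page content for the kind of injected script/iframe described above."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The two iframe destinations named in the Armorize report.
IOC_DOMAINS = {"www3.strongdefenseiz.in", "www2.safetosecurity.rr.nu"}

# Inline JavaScript that writes an iframe into the page is the usual loader
# for this kind of injection, whatever the destination domain happens to be.
IFRAME_WRITER = re.compile(r"document\.write\s*\(.*?<\s*iframe", re.I | re.S)


class _RefCollector(HTMLParser):
    """Collect remote src references and inline <script> bodies from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.refs = []            # (tag, url) for script/iframe/embed src attributes
        self.inline = []          # complete inline <script> bodies
        self._buf = None          # accumulates data while inside a <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._buf = []
        if tag in ("script", "iframe", "embed"):
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append((tag, value))

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def hostname(url):
    """Lower-cased host part of a URL; protocol-relative URLs (//host/...) are handled."""
    if url.startswith("//"):
        url = "http:" + url
    return (urlparse(url).hostname or "").lower()


def scan_fragment(html, allowed_hosts=()):
    """Findings for one stored value, e.g. a text column from a CMS table."""
    p = _RefCollector()
    p.feed(html)
    p.close()
    findings = []
    for tag, url in p.refs:
        host = hostname(url)
        if host in IOC_DOMAINS:
            findings.append(("ioc-domain", tag, url))
        elif host and host not in allowed_hosts:
            findings.append(("unexpected-remote", tag, url))
    for body in p.inline:
        if IFRAME_WRITER.search(body):
            findings.append(("iframe-writer", "script", body[:60]))
    return findings


def scan_rows(rows, allowed_hosts=()):
    """rows: iterable of (table, column, row_id, text). Returns the rows that carry findings."""
    hits = []
    for table, column, row_id, text in rows:
        found = scan_fragment(text, allowed_hosts)
        if found:
            hits.append((table, column, row_id, found))
    return hits


# Constructed sample rows standing in for a dump of a site's text columns.
SAMPLE_ROWS = [
    ("Products", "Description", 1, "Blue widget, 10cm."),
    ("Products", "Description", 2,
     'Red widget</title><script src="http://www3.strongdefenseiz.in/x.js"></script>'),
    ("News", "Body", 7,
     '<p>Hello</p><script>document.write("<iframe src=\'http://203.0.113.5/\'></iframe>")</script>'),
    ("News", "Body", 8, '<script src="https://www.example.com/site.js"></script>'),
]

if __name__ == "__main__":
    for table, column, row_id, found in scan_rows(SAMPLE_ROWS, allowed_hosts={"www.example.com"}):
        print(f"{table}.{column} row {row_id}: {found}")
```

Run it against an export of every free-text column the application stores; a hit on a row that no editor touched is the cleanup point for the injection, not only the visible page.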
Posted by J-admin
iPhone can be used as spy phone to get desktop Keystrokes
What if a hacker could log every key you typed on your PC by placing a cellphone nearby? US researchers have shown how this is possible using any smartphone available today.
At a conference in Chicago on Thursday, a group of computer researchers from Georgia Tech will report on another potential threat. The researchers have shown that the accelerometer and orientation sensor of a phone resting on a surface can be used to eavesdrop as a password is entered using a keyboard on the same surface. They were able to capture the words typed on the keyboard with as much as 80 percent accuracy.
Normally when security researchers describe spyware on smartphones, they mean malicious code that can be used to snoop on calls, or to steal the data held on mobile phones. In this case, however, researchers have described how they have put software on smartphones to spy on activity outside the phone itself, specifically to track what a user might be doing on a regular desktop keyboard nearby.
The typing detection works by “using a smartphone accelerometer – the internal device that detects when and how the phone is tilted – to sense keyboard vibrations as you type to decipher complete sentences with up to 80% accuracy,” according to the Institute.
"We first tried our experiments with an iPhone 3GS, and the results were difficult to read," said Patrick Traynor of Georgia Tech. "But then we tried an iPhone 4, which has an added gyroscope to clean up the accelerometer noise, and the results were much better. We believe that most smartphones made in the last two years are sophisticated enough to do this attack."
As phone technology improves, attacks via the accelerometer could become more feasible. The researchers' initial experiments used Apple's iPhone 3GS, but the phone's accelerometer lacked the necessary sensitivity. The researchers then moved to the iPhone 4, which uses a gyroscope to remove noise from the accelerometer data, and had much greater success.
"The way we see this attack working is that you, the phone's owner, would request or be asked to download an innocuous-looking application, which doesn't ask you for the use of any suspicious phone sensors," said Henry Carter, one of the study's co-authors. "Then the keyboard-detection malware is turned on, and the next time you place your phone next to the keyboard, it starts listening."
Posted by J-admin
HDFC Bank Database Hacked by zSecure team using SQL injection vulnerability
Website: www.hdfcbank.com
Vulnerability Type: Hidden SQL Injection Vulnerability
Database Type: MSSQL with Error
Vulnerability Discovered: 15-July-2011
Alert Level: Critical
Threats: Complete Database Access, Database Dump, Shell Uploading
Credit: zSecure Team
Proof of Vulnerability
About HDFC Bank
HDFC Bank deals with three key business segments: Wholesale Banking Services, Retail Banking Services and Treasury. It has entered the banking consortia of over 50 corporates for providing working capital finance, trade services, corporate finance and merchant banking. It is also providing sophisticated product structures in areas of foreign exchange and derivatives, money markets and debt trading and equity research.
zSecure team is back in the news again; this time they have discovered a critical SQL injection vulnerability in HDFC Bank's web portal. Using this critical flaw, HDFC Bank's various databases can be accessed and dumped. This flaw really affects the customer relations of HDFC Bank and calls into question the existing security in place within the bank. HDFC Bank is the leading bank in India, but it lags behind on the basic security that needs to be implemented. zSecure team claimed in their blog post that even after being sent complete details about the vulnerability, and even after conducting a vulnerability assessment through a third-party service provider, the bank was not able to discover this critical flaw in its web portal. This really raises a big question about their existing security policy.
What would have happened if someone else had gained access to this critical flaw? Their entire database could have been dumped, their website defaced and much more. HDFC Bank really needs to think about this matter again.
Posted by J-admin
#OpFacebook : Facebook will be down on November 5 by Anonymous Hackers Attack
Anonymous has vowed to "destroy" Facebook on Nov. 5. Or more accurately, somebody has set up a Twitter account and YouTube channel to announce a plan dubbed "Operation Facebook."
In a YouTube video, the hacking group warns, "Your medium of communication you all so dearly adore will be destroyed." "If you are a willing hacktivist or a guy who just wants to protect the freedom of information then join the cause and kill Facebook for the sake of your own privacy." The group said in its message that "Operation Facebook" would begin November 5. It claimed the social network, based in Palo Alto, Calif., provides information to "government agencies" so they can "spy on people." If Operation Facebook is real, it could mark a new phase for Anonymous, which in recent weeks has joined forces with the remnants of the more tightly knit hacker group LulzSec to target law enforcement agencies in an ongoing operation called Antisec.
UPDATE :
Meanwhile, one Anonymous leader claims that "Operation Facebook" is fake. He tweeted as shown below.
Press Release of Operation Facebook :
Here's the Anonymous press release and accompanying video message:
Operation Facebook
DATE: November 5, 2011.
TARGET: https://facebook.com
Press:
Twitter : https://twitter.com/OP_Facebook
http://piratepad.net/YCPcpwrl09
Irc.Anonops.Li #OpFaceBook
Message:
Attention citizens of the world,
We wish to get your attention, hoping you heed the warnings as follows:
Your medium of communication you all so dearly adore will be destroyed. If you are a willing hacktivist or a guy who just wants to protect the freedom of information then join the cause and kill facebook for the sake of your own privacy.
Facebook has been selling information to government agencies and giving clandestine access to information security firms so that they can spy on people from all around the world. Some of these so-called whitehat infosec firms are working for authoritarian governments, such as those of Egypt and Syria.
Everything you do on Facebook stays on Facebook regardless of your "privacy" settings, and deleting your account is impossible, even if you "delete" your account, all your personal info stays on Facebook and can be recovered at any time. Changing the privacy settings to make your Facebook account more "private" is also a delusion. Facebook knows more about you than your family.
http://www.physorg.com/news170614271.html
http://itgrunts.com/2010/10/07/facebook-steals-numbers-and-data-from-your-iphone/
You cannot hide from the reality in which you, the people of the internet, live in. Facebook is the opposite of the Antisec cause. You are not safe from them nor from any government. One day you will look back on this and realise what we have done here is right, you will thank the rulers of the internet, we are not harming you but saving you.
The riots are underway. It is not a battle over the future of privacy and publicity. It is a battle for choice and informed consent. It's unfolding because people are being raped, tickled, molested, and confused into doing things where they don't understand the consequences. Facebook keeps saying that it gives users choices, but that is completely false. It gives users the illusion of and hides the details away from them "for their own good" while they then make millions off of you. When a service is "free," it really means they're making money off of you and your information.
Think for a while and prepare for a day that will go down in history. November 5 2011, #opfacebook . Engaged.
This is our world now. We exist without nationality, without religious bias. We have the right to not be surveilled, not be stalked, and not be used for profit. We have the right to not live as slaves.
We are anonymous
We are legion
We do not forgive
We do not forget
Expect us
Posted by J-admin
For the second time this year, Citigroup has suffered a major breach of its credit customers’ personal information; this time the breach involved 92,400 customers at its Japanese unit. Citigroup's Japanese credit card unit said personal information for more than 92,000 of its customers was illegally sold to a third party.
The information exposed included the names, account numbers, addresses, phone numbers, birthdates and sex of 92,408 credit card holders, Citi Cards Japan warned in an advisory (PDF) issued Friday. The personal identification numbers and card security codes were not accessed.
Citi Cards Japan did not say how the customer information was obtained, as the sale of the information is currently under investigation. "While the risk of fraud is minimal due to the absence of security information, CCJ has placed internal fraud alerts and enhanced monitoring on all accounts identified, and no unusual or suspicious credit card transactions relating to these customers have been detected at this point," according to Citi Cards Japan's statement.
However, Citigroup disclosed that credit card customers had $2.7 million stolen from their accounts as a result of the June data breach. While victimized customers can get new account numbers and aren't responsible for unauthorized charges, consumers have become increasingly wary of how their information is handled by big companies, especially those that handle their money.
Posted by J-admin
vfirstmarketing.in Hacked By Xahra (Female Hacker)
Hacked Site:-
http://vfirstmarketing.in/
Mirror Link:-
http://zone-h.org/mirror/id/14536395
Message Spread by Xahra:-
"Free Kashmir & Palestine! - Palestine + Kashmir = One Struggle. // End the Occupation. . . .
Everyday 100s of innocent people are abused, raped and even killed in palestine & kashmir by the indian & israli army, a third of the deaths are children, who are the real soldiers? the child holding a stone or the stranger holding a gun? - we dont want war, take back ur men, ur tanks and ur guns and go back to were you came from, all we ask is for freedom, you can kill us but you cant kill us all, we shall not give up, giving up is not a option. Freedom is our goal..."
Posted by J-admin
After the hack of Italy's police IT network, Anonymous hackers have just released the database of vitrociset.it via a Pastebin link on Twitter. The leak includes the administrator's password and hundreds of other users' login details.
Posted by J-admin
Facebook is set to announce today a bug bounty program in which researchers will be paid for reporting security holes on the popular social-networking Web site.
Compensation, which starts at $500 and has no maximum set, will be paid only to researchers who follow Facebook's Responsible Disclosure Policy and agree not to go public with the vulnerability information until Facebook has fixed the problem.
Facebook Chief Security Officer Joe Sullivan said that "typically, it's no longer than a day" to fix a bug.
Facebook's Whitehat page for security researchers says:
"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."
The compensation program is a good way to provide an incentive and show appreciation to the research community for helping keep Facebook safe for users, according to the company's security team. Up until now, researchers received recognition on the Facebook Whitehat page, maybe some "swag," and, if they were lucky, a job.
"Some of our best engineers have come to work here after pointing out security bugs on our site," like Ryan McGeehan, manager of Facebook's security response team, said Alex Rice, product security lead at Facebook. (Facebook also recently hired famed iPhone jailbreaker and Sony PlayStation 3 hacker George Hotz, who works on security issues.)
Meanwhile, Facebook is allowing security researchers a way to create test accounts on Facebook to ensure they don't violate terms of use or impact other Facebook users, Rice and McGeehan said.
Facebook is following in the steps of Mozilla, which launched its bug bounty program in 2004, and Google, which offers a bug bounty program with payments ranging from $500 to more than $3,000 for finding Web security holes, as well as a program specifically for Chrome bugs.
Microsoft has offered bounties of $250,000 for information leading to the arrest of virus writers, but does not pay researchers who find bugs in its software. However, other companies do, like TippingPoint's Zero Day Initiative.
Researchers typically are paid more for finding bugs in desktop software, where fixing the bug and updating the software on users' computers can take much longer than for bugs in Web-based software, which can be fixed much more quickly.
According to Facebook:
Eligibility
To qualify for a bounty, you must:
- Adhere to our Responsible Disclosure Policy:
... give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research ...
- Be the first person to responsibly disclose the bug
- Report a bug that could compromise the integrity or privacy of Facebook user data, such as:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF/XSRF)
- Remote Code Injection
- Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)
Our security team will assess each bug to determine if it qualifies.
Rewards
- A typical bounty is $500 USD
- We may increase the reward for specific bugs
- Only 1 bounty per security bug will be awarded
Exclusions
The following bugs aren't eligible for a bounty (and we don't recommend testing for these):
- Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
- Security bugs in third-party websites that integrate with Facebook
- Security bugs in Facebook's corporate infrastructure
- Denial of Service Vulnerabilities
- Spam or Social Engineering techniques
News source: Facebook & CNET